What type(s) of ACL usually must be put on a Cisco L3 switch facing the Internet (in front of a FW)?

m-abooali
Level 4

Hi,

I have a Cisco 3550 facing the Internet in front of a FW. What type(s) of generic ACLs should be configured on it? I mean, is there a set of general ACLs to make sure no spoofing or other forms of attack take place?

Thank you,

Masood


13 Replies

Reza Sharifi
Hall of Fame

Hi,

It depends on your environment, but you can start with these. In addition, you probably want to block ICMP, Telnet, SSH and NTP from outside to your public IP. If you have to allow anything to access the device, it should only be SSH.

Here is also a site that abusive IPs are reported to, so you may want to block them if these IPs don't need to reach your internal network.

https://www.abuseipdb.com/

deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any

It is also a good practice to be selective in your allow list and allow only what you need and no more (e.g. HTTPS, HTTP, etc.).

HTH

Thank you.

Thanks,

Since this is a switch and the WAN circuit is an Ethernet port configured as a trunk, how do I bind an access-group to such an interface? It's not a normal router.

Regards,

Masood


Hello,

The below is usually used for anti-spoofing. The last line, permit ip any any, should be replaced with your own internal IP range:

ip access-list extended ANTI_SPOOF
 remark RFC1918 private ranges
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark Multicast range
 deny ip 224.0.0.0 31.255.255.255 any
 remark RFC 3330 loopback range
 deny ip 127.0.0.0 0.255.255.255 any
 remark Link-local (Windows APIPA) range
 deny ip 169.254.0.0 0.0.255.255 any
 permit ip any any

Joseph W. Doherty
Hall of Fame
You could consider blocking almost all traffic from anywhere to any IP address on the switch, on all interfaces. Exceptions would be for specific kinds of traffic from/to specific IPs.

For example, on the non-Internet-facing interface, you might allow SSH traffic to just that interface's IP if sourced from specific IPs and/or networks.

Further examples:

int fe0
 desc outside
 ip address <public>
 ip access-group outside in

int fe1
 desc inside
 ip address <private>
 ip access-group inside in

ip access-list extended outside
 deny ip any host <public>
 deny ip any host <private>
 permit ip any any

ip access-list extended inside
 deny ip any host <public>
 permit tcp any host <private> eq telnet
 deny ip any host <private>
 permit ip any any

By <private> and <public>, do you mean a specific IP or an IP range?

How about just the Internet-facing interface, which is a trunk associated with an SVI interface?

Then you apply the ACLs to the SVI.

HTH
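To test a list like the ones posted in this thread before binding it to the SVI, here is an added example in Python (it is not code from any poster and not Cisco's): a small parser for IOS extended-ACL syntax that evaluates packets against the named list with first-match semantics and the implicit deny, and that also picks up the `ip access-group ... in` binding under the SVI that Masood asked about. The config text inside it is constructed for the example: 198.51.100.0/24 stands in for the public range, 198.51.100.1 for the SVI address, 203.0.113.10 for an assumed management host and Vlan100 for the Internet-facing SVI; none of these values come from the thread. It goes one step beyond the posted lists by adding a single-host SSH exception placed ahead of the deny for the switch's own address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample config (not taken from a real device or from the thread). Assumed values:
# 198.51.100.0/24 is "our" public range, 198.51.100.1 the SVI address, 203.0.113.10 the only
# host allowed to SSH to the switch, Vlan100 the SVI carried by the Internet-facing trunk port.
CONFIG = """
ip access-list extended ANTI_SPOOF
 remark RFC1918 sources must never arrive from the Internet
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark multicast/reserved, loopback and link-local sources
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 remark management: SSH to the switch from one host only, nothing else to the switch
 permit tcp host 203.0.113.10 host 198.51.100.1 eq 22
 deny ip any host 198.51.100.1
 remark transit: only traffic addressed to our own public range
 permit ip any 198.51.100.0 0.0.0.255
!
interface Vlan100
 description Internet-facing SVI (VLAN 100 on the trunk to the ISP handoff)
 ip address 198.51.100.1 255.255.255.0
 ip access-group ANTI_SPOOF in
"""

PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "ntp": 123, "https": 443}

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", "icmp"
    src: tuple            # (network, wildcard) as ints; a 1 bit in the wildcard means "don't care"
    dst: tuple
    dport: Optional[int]  # None = any destination port

def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return (addr, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _parse_ace(t):
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(PORT_NAMES.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)

def parse_config(text):
    """Return ({acl name: [Ace, ...]}, {interface: acl applied with 'ip access-group X in'})."""
    acls, bindings, ctx = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            ctx, acls[t[3]] = ("acl", t[3]), []
        elif t[0] == "interface":
            ctx = ("if", t[1])
        elif ctx and ctx[0] == "acl" and t[0] in ("permit", "deny"):
            acls[ctx[1]].append(_parse_ace(t))  # 'remark' lines are skipped
        elif ctx and ctx[0] == "if" and t[:2] == ["ip", "access-group"] and t[-1] == "in":
            bindings[ctx[1]] = t[2]
    return acls, bindings

def evaluate(acl, src, dst, proto="ip", dport=None):
    """Walk the ACEs in order; the first match decides, otherwise IOS's implicit deny applies."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        care_s, care_d = ~ace.src[1] & 0xFFFFFFFF, ~ace.dst[1] & 0xFFFFFFFF
        if (s & care_s) == (ace.src[0] & care_s) and (d & care_d) == (ace.dst[0] & care_d):
            return ace.action
    return "deny"

def check_inbound(config_text, interface, src, dst, proto="ip", dport=None):
    """Verdict for one packet arriving inbound on `interface`."""
    acls, bindings = parse_config(config_text)
    return evaluate(acls[bindings[interface]], src, dst, proto, dport)

if __name__ == "__main__":
    for src, dst, proto, dport in [
        ("10.1.2.3", "198.51.100.20", "ip", None),     # RFC1918 source from the Internet: spoofed
        ("203.0.113.10", "198.51.100.1", "tcp", 22),   # the management host, SSH to the switch
        ("203.0.113.7", "198.51.100.1", "tcp", 22),    # anyone else, SSH to the switch
        ("203.0.113.7", "198.51.100.20", "tcp", 443),  # Internet client to a server behind the FW
        ("203.0.113.7", "192.0.2.50", "ip", None),     # not addressed to our range: implicit deny
    ]:
        print(f"{src:>13} -> {dst:<14} {proto}/{dport}: {check_inbound(CONFIG, 'Vlan100', src, dst, proto, dport)}")
```

Order matters: the permit for the management host has to come before `deny ip any host 198.51.100.1`, and the trailing `permit ip any 198.51.100.0 0.0.0.255` replaces the thread's `permit ip any any` so that anything not addressed to the public range falls through to the implicit deny. Wildcard masks are the inverse of subnet masks, which is why `224.0.0.0 31.255.255.255` covers every source from 224.0.0.0 upward.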

Thank you.

Best regards,

Masood

Well, as Reza noted, you could (and should) apply it to the SVI, but again, I recommend you apply an ACL to any interface (excluding loopbacks) with an IP. The fact that an interface doesn't directly face the Internet increases the difficulty of attacking it from the Internet, but it may not fully preclude it.

Also, if I didn't make it clear, such ACLs should start by denying everything, and then you're very careful with what you permit.

Although you only asked about an Internet-facing interface, you should also follow other best practices to harden the device, such as disabling services not needed and/or using ACLs on services that use/allow them (like VTY, SNMP).

Thank you!

While I understand the facts you outlined, I still do not see what IPs I need to give to the non-Internet-facing ports. In what fashion? They are switchports.

Best regards,

Switchports don't have IPs on them, right?

SVI and/or routed ports do have IPs. Those are doorways to your device. It's those you want your first layer of defense, i.e. an ACL.

Thank you.